Current Account: Cyberattacks Are Banks’ Latest ‘Existential Risk’

“Wanted: ethical hackers willing to launch repeated cyberattacks on a major U.S. bank to test its defenses. Competitive pay and discretion assured.”

I made up the advertisement — there are few ads in the world of hacking — but the trend is real.

At least one large U.S. lender has hired hackers in recent months to simulate full-blown attacks on its systems. Cyber-experts say that many other firms do it in-house, splitting their technology whiz kids into groups of attackers and defenders to get as close as possible to real-life assaults on their firewalls.

As cyberterrorists train their sights on U.S. financial infrastructure, banks, regulators and savers need to up their game. Lenders, especially smaller ones, should be afraid. Very afraid.

Some already have. Late last year, a spate of “denial of service attacks,” later traced to Iranian hackers, disrupted the websites of several financial firms for days, providing a worrying example of what a cyberwar on Wall Street and Main Street banks could look like.

Cybersecurity is a critical issue for every company but, as often, financial-services firms are a special case. Each and every attack can undermine the public’s faith not just in the individual institution, but in the entire financial system.

The financial-services sector accounted for “just” 3% of all data breaches that led to identity theft in 2012, according to a recent report by Symantec Corp. But each of the average of 400,000 identities that were revealed during every one of those incidents represents a dent in the wall of trust between customers and their financial institutions.

Wall Street lawyer Rodgin Cohen put it best last week when he called cybersecurity an “existential risk.”

“Unless we do better in aligning the private sector and the public sector in hardening our systems, sooner or later there is going to be a very serious problem,” Mr. Cohen, a partner at Sullivan & Cromwell LLP, told the WSJ’s CFO Network conference.

Is enough being done? Well, there is good news and bad news.

The good news is that big banks are alert to the issue. Lenders hate to talk publicly about their efforts, but behind the scenes, large institutions are spending millions of dollars to stay a step ahead of hackers.

Richard Bejtlich, chief security officer at Mandiant Corp., a cybersecurity company, ranks defense contractors and large financial institutions as the best at responding to these threats. “They have the full spectrum of issues to deal with,” he says. “Financial-services companies have to deal with malicious insiders, people who leave the company and take information with them, fraud, espionage and denial of service attacks.”

Bank executives agree. “We have to be on top of this. We have millions of customers and even if just 1% is affected, we could be in serious trouble,” one told me recently.

The bad news is that community banks are lagging badly behind their larger brethren. The even worse news is that hackers love to target smaller businesses. Across the economy, half of the cyberattacks launched in 2012 hit businesses with fewer than 2,500 employees, according to Symantec. Nearly a third of the incidents occurred at firms with fewer than 250 staff.

“With our smaller institutions, we find that they are less prepared because they can’t throw millions and millions of dollars at the problem,” says Benjamin Lawsky, the superintendent of New York’s Department of Financial Services.

So how can small banks, often strapped for staff and resources, oppose the hacking might of, say, Iran or China? The answer may lie in something rather unusual in finance: cooperation.

Experts like Mr. Bejtlich argue that there is safety in numbers. They point to other industries, notably universities, where pooling resources and knowledge has helped bolster defenses.

Banks are loath to share information, especially technology and customer data. And even if lenders suddenly discovered their brotherly spirits, there are antitrust provisions designed to keep cooperation to a minimum.

But if ever there was a need for an exception to usual practice and competition law, this is it. Valerie Abend, the senior officer for critical infrastructure at the Office of the Comptroller of the Currency, recently said communication and coordination between banks is key when facing cyberthreats.

“A bank that’s experiencing this may have connections or interdependencies with other banks or third parties who may also be attacked,” Ms. Abend said.

In the face of ever more potent attacks from organized bad guys, strengthening the weak link in the U.S. financial chain seems like an end that could justify the means.